Saudi Arabia applies a “Mandatory List” of national products in government procurement. Under the Regulations on Preference for Local Content and Local SMEs and Companies Listed on the Capital Market, the Mandatory List is defined as a list of national products issued and regularly updated by the Local Content and Government Procurement Authority (LCGPA) (Art. 1) and made available on the LCGPA website. Government entities shall require bidders to source the products in the Mandatory List locally (Arts. 4(1) and 7(1)). In practice, foreign suppliers cannot offer imported products in categories covered by the Mandatory List and must either source listed items from Saudi manufacturers or localise production (e.g. through joint ventures or local manufacturing), otherwise their bids may be rejected or their supplies refused for non-compliance.

Art. 11.9 of the Regulations for Importation and Licensing of Telecommunications and Information Technology Equipment provides a general requirement to disclose details of encryption systems contained in ICT equipment being imported, including equipment imported for government public procurement.

Art. 35 of the Government Tenders and Procurement Law provides that government contracts may include knowledge transfer obligations, encompassing both practical and theoretical skills. Art. 58 of Ministerial Decision No. 3479/1441 (Implementing Regulations) further allows the competent authority to conclude contracts aimed at industry localisation and knowledge transfer, provided this does not result in monopolisation and takes account of technological and industrial developments. The authority must, in coordination with the Center of Spending Efficiency (CSE) and relevant bodies, prepare a feasibility study, obtain ministerial approval, and then develop the tender documents and contract forms. The resulting agreement must also specify, in coordination with the beneficiaries, the quantities or proportions of localised products or knowledge that government entities commit to purchase.

Oman has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Oman has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Oman has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

According to Art. 2 of Ministerial Decision No. 499/2023 issuing the Electronic Commerce Regulations, e-commerce activities may only be carried out upon obtaining a licence from the Department of Commercial Affairs and E-Commerce at the Ministry of Commerce, Industry and Investment Promotion. Under Arts. 3 and 8 of the Decision, commercial companies engaging in e-commerce must be registered in the Omani commercial register and have their place of business for conducting e-commerce at the address specified in that register.
Art. 1(4) defines “e-commerce” as any economic activity conducted between the licensee and the consumer through electronic means or an electronic store, for the sale, display, marketing or promotion of goods or services, or for the exchange of data relating thereto. The Regulations are reported to cover businesses selling products or services via websites, social media platforms and online marketplaces.

According to Art. 10 of the Ministerial Decision No. 2023/499 on the Issuance of the Electronic Commerce Regulations, an e-commerce licensee must be affiliated with a bank or payment service provider licensed in the Sultanate of Oman in order to provide the necessary payment tools for consumers to make payments.

Oman does not implement any de minimis threshold, which is the minimum value of goods below which customs do not charge duties.

It is reported that in order to register a ".om", ".com.om" or ".co.om" domain, the domain owner must have a local administrative contact in Oman.

Ministerial Decision No. 499/2023 issuing the Electronic Commerce Regulations and the Consumer Protection Law adopted by Royal Decree No. 66/2014 establish a comprehensive framework for consumer protection that also applies to online transactions.
While the Consumer Protection Law has been in force since 2014 and did not provide a comprehensive consumer protection regime applicable to electronic transactions, the Electronic Commerce Regulations introduce e-commerce-specific obligations, including requirements to provide accurate information on goods or services, data protection measures, complaint-handling procedures, contact and customer service details, replacement and return policies, and the terms and conditions of use of the online store (Art. 9). In addition, e-commerce operators must provide clear mechanisms for correcting errors in orders before delivery or shipment (Art. 11), as well as a means for consumers to request the suspension of electronic notifications (Art. 12).

According to the GSO Technical Regulation for Low Voltage Electrical Equipment and Appliances – BD-142004-01, which includes an amendment and an update of the first edition, number (BD07070503) was implemented in 2007. Electrical appliances designed to be used in a certain rated voltage range must be sold bearing the G mark after being certified by the GCC Notified Body.
Products that fall under List 1 under the Regulation are low-risk; thus, a self-declaration form prepared by the manufacturer can be made by affixing the “G” before placing the product on the market. Products that fall under List 2 are higher-risk electrical products, which will undergo mandatory Type testing and review of the product's Technical File to verify conformity before authorisation is granted to affix the “G” mark before placing the product onto the market.
However, for List 2 products, manufacturers must choose a single Notified Body (NB) entity to examine the technical design of a product and verify that the technical design of the product meets the requirements of the applicable Gulf Technical Regulations and for the issuance of an evaluation report with a Gulf Type Examination certificate and shall be issued a certificate from the NB.
Moreover, according to Art. 1 of the Omani Quality Mark and Certificate of Conformity Regulations, a non-Omani Supplier's Declaration of Conformity, as long as it abides by the provisions of the regulation are accepted.

The country’s Telecommunications Regulatory Act (Art. 48) requires a license from the Minister in order to utilise encryption in telecommunications or between computer networks. The license determines who may operate, the conditions of operating, fees imposed for the issue of the license, and control of the encryption key.

Pursuant to the Telecommunications Regulatory Act, the Telecommunications Regulatory Authority issued Decision No. 37/2008. In accordance with Arts. 4 and 5, dealing in encryption systems or equipment should only be permitted after obtaining the Authority’s approval. The following are required to obtain the Authority’s approval to deal with encryption systems or equipment:
- Registration with the Authority to deal in encryption systems or equipment;
- Submission of a statement showing the type and specifications of all encryption systems or equipment intended to deal in;
- A sample of the encryption system or equipment intended to be dealt with whenever requested by the Authority. Where samples are submitted, the Authority may retain them in whole or in part if the work interest so requires;
- Information as requested by the Authority regarding the dealing user;
In addition, the Authority may scrutinise and inspect the encryption systems or equipment before licensing their usage, and it may, whenever necessary, retain a sample and obtain the key (Art. 9).

Art. 20 of the Personal Data Protection Law explicitly mandates data controllers to appoint a Data Protection Officer (DPO). Art. 34 of the Executive Regulations for the Personal Data Protection Law further stipulates that the appointment of a DPO must adhere to specific criteria. Art. 35 delineates the duties of the DPO, which include offering recommendations and guidance on fulfilling obligations under the Law and its Executive Regulations, monitoring the implementation of policies related to personal data protection, ensuring compliance with legal and regulatory requirements, and liaising with the Ministry of Transport, Communications, and Information Technology on issues pertaining to personal data processing.